MAC Aggregation Resilient to DoS Attacks

In today's and future building management systems, scores of cheap low-power sensors report measurements, such as temperature, electricity consumption and other parameters, to a control node. To save power and reduce deployment costs, it is often the case that data is sent wirelessly, and sensors serve as relay nodes that retransmit messages from other, more remote sensors. To prevent en route accidental and malicious data corruption, each message is authenticated with a MAC (Message Authentication Code), keyed with a key known to the generating sensor and the control node. Because transmission channel capacity is often small, MACs represent a significant overhead. Indeed, a typical 128-bit MAC is as much as an order of magnitude larger than the data it authenticates - a temperature or consumption reading, even with a timestamp, can be stored in 10-15 bits. To mitigate these overheads, methods to compute aggregate MACs, of length much shorter than the concatenation of constituent MACs, were proposed in cryptographic community. However, these MACs are not resilient to denial-of-service (DOS) attacks, where a rogue node or a man-in-the-middle attacker can easily disrupt the entire set of MACs, and hence prevent using all of the transmitted data. In this work we propose a new way of MAC aggregation, which will allow the relay sensors to greatly reduce transmission overhead due to MACs, while achieving full unforgeability, and, simultaneously, much stronger resilience to DOS attacks.